Over the course of two months (July and August), security experts at GitHub, Robert Chen and Philip Papurt, discovered arbitrary code execution vulnerabilities in the open-source Node.js packages tar and @npmcli/arborist.
According to BleepingComputer, the tar package receives 20 million weekly downloads on average, whereas arborist gets downloaded over 300,000 times every week.
If left unpatched, the flaws, which affect both Windows and Unix-based users, could be abused by threat actors to achieve arbitrary code execution on a system that installs a malicious npm package.
According to the researchers' report, several of the vulnerabilities found in these packages are rated high severity on both Windows and Unix-based systems.
Chen and Papurt Rewarded
As a sign of appreciation and gratitude, both Robert Chen and Philip Papurt have received from the GitHub Security team a total bounty of $14,500 for their efforts in keeping GitHub secure.
The Node.js package tar remains a core dependency of installers that have to unpack npm packages during installation. Thousands of other open-source projects use the package, and as such it gets downloaded approximately 20 million times every week.
The arborist package is a core dependency of the npm CLI and is used to manage node_modules trees.
These ZIP slip issues are a serious concern for developers who use the npm CLI to install untrusted npm packages, or who use tar to extract untrusted packages.
Npm packages are typically distributed as .tar.gz or .tgz files, ZIP-like archives that must be unpacked by the installation tooling. The tools that extract these archives should ensure that a malicious entry path cannot overwrite existing files in the file system, particularly sensitive ones, outside the extraction directory.
However, because of the vulnerabilities listed below, unpacking a crafted npm package could overwrite arbitrary files with the privileges of the user running the npm install command:
CVE-2021-32803
CVE-2021-32804
CVE-2021-37701
CVE-2021-37712
CVE-2021-37713
CVE-2021-39134
CVE-2021-39135
As explained by Mike Hanley, Chief Security Officer at GitHub:
CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a security impact on the npm CLI when processing a malicious or untrusted npm package install.
Some of these issues may result in arbitrary code execution, even if you are using --ignore-scripts to prevent the processing of package lifecycle scripts.
Users Urged to Patch the Flaws
npm, the package manager for the Node.js JavaScript runtime, is urging developers to patch these flaws as soon as possible.
⚠️ action recommended: following newly discovered vulnerabilities in `tar` and `@npmcli/arborist`, we recommend upgrading to the latest versions of @nodejs 12 / 14 / 16 or npm 6 / 7 as well as updating any dependencies you may have on `tar`. read more: https://t.co/t4WaVwJ0mx
— npm (@npmjs) September 8, 2021
Developers should upgrade their tar dependencies to version 4.4.19, 5.0.11, or 6.1.10, and upgrade @npmcli/arborist to version 2.8.2 to fix the bugs.
For the npm CLI, versions v6.14.15, v7.21.0, or newer include the patch. In addition, Node.js 12, 14, and 16 ship with a patched tar version and can be upgraded to safely.
GitHub’s comprehensive blog post provides all the information regarding these vulnerabilities.